installer: refuse apfs volume creation when FileVault is enabled

Daiderd Jordan 2020-03-26 21:51:13 +01:00
parent 3386575296
commit 477d7c2d07
No known key found for this signature in database
GPG key ID: D02435D05B810C96
2 changed files with 24 additions and 4 deletions


@ -230,8 +230,10 @@ LABEL=Nix\040Store /nix apfs rw
</para> </para>
<para> <para>
This new volume also won't be encrypted by default, and enabling is This new volume also won't be encrypted by default, and enabling it
only possible interactively? requires extra setup. For machines with a <link xlink:href="https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf">T2 chip</link>
all data is already entrypted at rest, older hardware won't even when
FileVault is enabled for the rest of the system.
</para> </para>
<screen> <screen>


@ -14,7 +14,12 @@ disk_identifier() {
xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" 2>/dev/null xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" 2>/dev/null
} }
volume_get() { volume_list_true() {
key=$1 t=$2
xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict/key[text()='$key']/following-sibling::true[1]" 2> /dev/null
}
volume_get_string() {
key=$1 i=$2 key=$1 i=$2
xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict[$i]/key[text()='$key']/following-sibling::string[1]/text()" 2> /dev/null xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict[$i]/key[text()='$key']/following-sibling::string[1]/text()" 2> /dev/null
} }
@ -24,7 +29,7 @@ find_nix_volume() {
i=1 i=1
volumes=$(apfs_volumes_for "$disk") volumes=$(apfs_volumes_for "$disk")
while true; do while true; do
name=$(echo "$volumes" | volume_get "Name" "$i") name=$(echo "$volumes" | volume_get_string "Name" "$i")
if [ -z "$name" ]; then if [ -z "$name" ]; then
break break
fi fi
@ -54,6 +59,12 @@ test_nix() {
test -d "/nix" test -d "/nix"
} }
test_filevault() {
disk=$1
apfs_volumes_for "$disk" | volume_list_true FileVault | grep -q true || return
! sudo xartutil --list >/dev/null 2>/dev/null
}
main() { main() {
( (
echo "" echo ""
@ -99,6 +110,13 @@ main() {
volume=$(find_nix_volume "$disk") volume=$(find_nix_volume "$disk")
if [ -z "$volume" ]; then if [ -z "$volume" ]; then
echo "Creating a Nix Store volume..." >&2 echo "Creating a Nix Store volume..." >&2
if test_filevault "$disk"; then
echo "error: FileVault detected, refusing to create unencrypted volume" >&2
echo "See https://nixos.org/nix/manual/#sect-apfs-volume-installation" >&2
exit 1
fi
sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix
volume="Nix Store" volume="Nix Store"
else else
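Review bot: In `volume_list_true`, `following-sibling::true[1]` selects the first `<true/>` anywhere after the `FileVault` key in the same dict rather than that key's own value. If diskutil's plist lists another boolean set to true after a false `FileVault` entry, the volume would be reported as encrypted and the install refused. Anchoring on the immediate sibling avoids this: `.../key[text()='$key']/following-sibling::*[1][self::true]`. In the other direction `test_filevault` fails open: stderr is discarded and no exit status is checked, so a failing `apfs_volumes_for` or `xpath` produces empty output, `grep -q true` fails, and `main` goes on to create the unencrypted volume. Consider treating an empty volume listing as an error instead of as "FileVault off", and drop the unused `t=$2`.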